MCP Express

Privacy Policy

Effective date: October 19, 2025

Last Updated: October 19, 2025

1. Introduction

We take the protection of your personal data seriously. This Privacy Policy explains how Elephanti Soft UG (haftungsbeschränkt), operating as MCP Express, collects, uses, stores, and protects your personal information in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Privacy Policy applies to all users of the MCP Express platform, including website visitors, free tier users, and paid subscribers.

2. Data Controller

The data controller responsible for the processing of your personal data is:

Elephanti Soft UG (haftungsbeschränkt)
Managing Director: Annemarie Werner
Heinrich-Heine-Str. 10
72810 Gomaringen
Germany

Email: service@elephanti-soft.de
Website: www.mcp-express.com

3. Scope of This Privacy Policy

This Privacy Policy covers:

  • Visitors to our website and marketing pages
  • Users of our free tier services
  • Customers with paid subscriptions (Starter, Professional, Enterprise)
  • Team members added to customer accounts

If you are using MCP Express on behalf of an organization, this policy applies to the personal data we collect about you as an authorized user.

4. Types of Data We Collect
4.1 Account and Registration Data

When you create an account, we collect:

  • Full name
  • Email address
  • Company/organization name
  • Job title (optional)
  • Password (encrypted)
  • Account preferences and settings

4.2 Payment and Billing Information

For paid subscriptions, we collect:

  • Billing name and address
  • Payment method information (processed by Stripe)
  • VAT identification number (if applicable)
  • Transaction history and invoices

Note: We do not store complete credit card details on our servers. Payment card information is collected and stored by our payment processor, Stripe, in accordance with their Privacy Policy and PCI-DSS standards.

4.3 Service Usage Data

When you use MCP Express services, we collect:

  • MCP server configurations and settings
  • API endpoints and connection details you configure
  • Custom code and templates you create
  • Usage metrics (tool calls, server count, feature usage)
  • Performance and error logs
  • API access logs and timestamps

4.4 Customer Content and Credentials

You may provide:

  • API keys and access tokens for third-party services
  • Database connection strings
  • Custom code and scripts
  • Configuration files
  • Data flowing through your MCP servers during operation

Important: We act as a data processor for this content. You remain the data controller and are responsible for ensuring lawful processing.

Data Retention for Debugging and Disputes: Data that flows through your MCP servers is temporarily retained for 30 days for:

  • Technical troubleshooting and debugging at your request
  • Dispute resolution (proving data was processed correctly)
  • Service quality verification

After 30 days, this data is automatically deleted unless it is subject to an active dispute or legal hold. You may request earlier deletion by contacting us.

4.5 Team and Collaboration Data

For team features:

  • Team member names and email addresses
  • Role and permission assignments
  • Team collaboration activity

4.6 Automatically Collected Technical Data

When you visit our website or use our platform:

  • IP address
  • Browser type and version
  • Operating system
  • Device type and screen resolution
  • Referring URLs and pages visited
  • Date, time, and duration of visits
  • Click patterns and user interactions
  • Cookies and similar tracking technologies

4.7 Communication Data

When you contact us:

  • Support ticket content and correspondence
  • Feedback and survey responses
  • Email communications
  • Chat messages (if applicable)

5. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

5.1 Contractual Necessity (Art. 6(1)(b) GDPR)

Processing is necessary to provide our services and fulfill our contractual obligations to you:

  • Account creation and management
  • Service delivery and platform access
  • Payment processing and billing
  • Customer support
  • Team collaboration features

5.2 Legitimate Interest (Art. 6(1)(f) GDPR)

Processing is necessary for our legitimate business interests:

  • Platform security and fraud prevention
  • Service improvement and optimization
  • Analytics and usage statistics
  • Technical troubleshooting and debugging
  • Internal business operations
  • Compliance with legal obligations

We have assessed that these legitimate interests are not overridden by your data protection rights.

5.3 Consent (Art. 6(1)(a) GDPR)

With your explicit consent for:

  • Marketing communications and newsletters
  • Optional analytics and tracking cookies
  • Testimonials and case studies using your information

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

5.4 Legal Obligation (Art. 6(1)(c) GDPR)

Processing is necessary to comply with legal requirements:

  • Tax and accounting obligations
  • Regulatory compliance
  • Response to lawful requests from authorities

6. How We Use Your Data

We use your personal data for the following purposes:

6.1 Service Provision
  • Create and manage your account
  • Provide access to MCP Express platform features
  • Process MCP server configurations and execute tool calls
  • Store and manage your custom code and templates
  • Enable team collaboration and access controls

6.2 Billing and Payment
  • Process subscription payments via Stripe
  • Generate invoices and receipts
  • Handle billing inquiries and disputes
  • Manage subscription upgrades and downgrades

6.3 Customer Support
  • Respond to support requests and inquiries
  • Troubleshoot technical issues
  • Provide guidance on platform features
  • Investigate and resolve service problems

6.4 Platform Improvement
  • Analyze usage patterns and feature adoption
  • Identify and fix bugs and performance issues
  • Develop new features based on user needs
  • Optimize platform performance and reliability

6.5 Security and Fraud Prevention
  • Monitor for suspicious activity and unauthorized access
  • Implement security measures and access controls
  • Investigate security incidents
  • Prevent fraud and abuse of services

6.6 Communications
  • Send service-related notifications and updates
  • Provide important account information
  • Share platform updates and new features
  • Respond to your inquiries

6.7 Marketing (With Consent)
  • Send promotional emails and newsletters
  • Inform you about new features and offerings
  • Provide educational content and resources

You can opt out of marketing communications at any time by clicking the unsubscribe link in emails or contacting us.

6.8 Legal Compliance
  • Fulfill tax and accounting requirements
  • Respond to legal requests and court orders
  • Comply with regulatory obligations
  • Protect our legal rights and interests

7. Data Sharing and Sub-processors

We do not sell your personal data to third parties. We share your data only in the following circumstances:

7.1 Service Providers (Sub-processors)

We work with trusted third-party service providers who process data on our behalf:

Payment Processing:

  • Stripe (USA/EU) – Payment processing and billing
  • Purpose: Process subscription payments and manage billing

Infrastructure and Hosting:

  • Amazon Web Services (AWS) (EU Region) – Cloud infrastructure and data storage
  • Purpose: Host platform, store data, and deliver services

Analytics:

  • Google Analytics (USA – Google LLC) – Website and platform analytics
    • Purpose: Understand usage patterns and improve user experience
    • Data transfers: Standard Contractual Clauses and EU-US Data Privacy Framework
  • Microsoft Clarity (USA – Microsoft Corporation) – User behavior analytics
    • Purpose: Session recordings and heatmaps to improve user experience
    • Data transfers: Standard Contractual Clauses and EU-US Data Privacy Framework

Email Services:

  • Microsoft 365 (USA/EU – Microsoft Corporation) – Business email and communications
    • Purpose: Send service notifications, support responses, and communications
    • Data transfers: EU data centers available; Standard Contractual Clauses for US transfers

Customer Support:

  • Atlassian Jira (USA/Australia – Atlassian) – Support ticket management
    • Purpose: Provide customer support and track issues
    • Data transfers: Standard Contractual Clauses

A complete and current list of sub-processors is available at https://www.mcp-express.com/sub-processors-list/ and will be updated as we add or change providers.

7.2 Sub-processor Safeguards

All sub-processors are:

  • Contractually bound to protect your data
  • Required to comply with GDPR standards
  • Subject to data processing agreements
  • Selected based on their security and privacy practices

We will notify you of any changes to sub-processors via email or platform notification at least 30 days in advance.

7.3 Legal Requirements

We may disclose your data when required by law:

  • To comply with legal processes or court orders
  • To respond to lawful requests from government authorities
  • To protect our rights, property, or safety
  • To investigate fraud or security incidents
  • To enforce our Terms of Service

7.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. You will be notified of any such change via email and have the opportunity to delete your account before the transfer.

8. International Data Transfers
8.1 Data Storage Location

Your data is primarily stored on servers located in the European Union (AWS EU regions) to ensure GDPR compliance.

8.2 Transfers Outside the EU

Some sub-processors (such as Stripe) may process data in countries outside the European Economic Area (EEA). When we transfer personal data internationally, we ensure adequate protection through:

Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses with sub-processors outside the EU.

Adequacy Decisions: For transfers to countries with EU adequacy decisions, we rely on the European Commission’s assessment of adequate data protection.

EU-US Data Privacy Framework: For US-based processors certified under the EU-US Data Privacy Framework, we rely on this mechanism for lawful transfers.

8.3 Your Rights Regarding International Transfers

You have the right to obtain information about the safeguards we use for international data transfers. Contact us at service@elephanti-soft.de for more information.

9. Our Role as Data Processor
9.1 Customer Content Processing

When you use MCP Express to create and operate MCP servers, we act as a data processor on your behalf for any personal data that flows through your MCP server configurations.

You are the data controller and are responsible for:

  • Ensuring lawful processing of data through your MCP servers
  • Obtaining necessary consents for data processing
  • Complying with applicable data protection laws
  • Implementing appropriate security measures for your APIs and systems
  • Notifying affected individuals of any data breaches originating from your systems

We, as data processor:

  • Process data only according to your instructions (via platform configurations)
  • Implement appropriate technical and organizational security measures
  • Retain processed data for 30 days for debugging and dispute resolution purposes
  • Assist with data subject requests where technically feasible
  • Notify you of any data breaches affecting your data
  • Delete or return data upon termination of services (after 30-day retention period or earlier upon request)

9.2 Data Processing Agreement

The data processing terms for customer content are incorporated into our Terms of Service. For Enterprise customers, detailed Data Processing Agreements (DPAs) are included in your Master Service Agreement.

10. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this Privacy Policy or as required by law.

10.1 Active Accounts
  • Account data: Retained for the duration of your active subscription
  • Customer data flowing through MCP servers: Retained for 30 days after processing
    • Purpose: Debugging, troubleshooting, and dispute resolution
    • Scope: Data processed through your MCP server configurations
    • Note: You can request earlier deletion if needed
    • Exception: Data may be retained longer if subject to an active dispute or investigation
  • Usage data: Retained for 24 months, then anonymized
  • Service logs: Retained for 12 months for security and troubleshooting

10.2 Cancelled Accounts
  • Account and configuration data: Deleted 30 days after cancellation
  • Billing records: Retained for 10 years to comply with German tax law requirements
  • Anonymized analytics: May be retained indefinitely for statistical purposes

10.3 Suspended Accounts
  • Data retention during suspension: 30 days from suspension date
  • After 30 days: All data permanently deleted unless account is reactivated

10.4 Legal Requirements

We may retain data longer if required by law, to resolve disputes, enforce agreements, or protect our legal rights.

10.5 Data Deletion

Upon deletion:

  • Account data is removed from active systems within 30 days
  • Backups are overwritten within 90 days
  • Some metadata may remain in logs for security purposes but is anonymized

11. Your Rights Under GDPR

As a data subject in the European Union, you have the following rights:

11.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation of whether we process your personal data and to access that data. You can request a copy of your data at any time.

11.2 Right to Rectification (Art. 16 GDPR)

You have the right to request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.

11.3 Right to Erasure / “Right to be Forgotten” (Art. 17 GDPR)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Note: We may retain certain data if required by law (e.g., billing records for tax purposes).

11.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request that we restrict processing of your data in certain circumstances, such as when you contest the accuracy of the data.

11.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller. We provide data export functionality in your account settings.

11.6 Right to Object (Art. 21 GDPR)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds that override your interests.

11.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

11.8 Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR)

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

11.9 How to Exercise Your Rights

To exercise any of these rights:

  • Email: service@elephanti-soft.de
  • Subject line: “GDPR Data Subject Request”
  • Include: Your account email and specific request

We will respond to your request within 30 days (or 60 days for complex requests, with notification of the extension).

11.10 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights. The competent supervisory authority in Germany is your state’s data protection authority. For Baden-Württemberg:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany
Email: poststelle@lfdi.bwl.de
Website: www.baden-wuerttemberg.datenschutz.de

12. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration.

12.1 Technical Security Measures

Encryption:

  • Data encrypted in transit using TLS 1.3
  • Data encrypted at rest using AES-256
  • Database encryption for sensitive information
  • Encrypted credential storage

Access Controls:

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) options
  • Password complexity requirements
  • Session management and timeout

Infrastructure Security:

  • Secure cloud infrastructure (AWS)
  • Regular security updates and patches
  • Firewalls and intrusion detection
  • DDoS protection

Application Security:

  • Secure coding practices
  • Regular security testing
  • Vulnerability scanning
  • Code reviews

12.2 Organizational Security Measures
  • Limited employee access to personal data on need-to-know basis
  • Employee training on data protection
  • Confidentiality agreements with employees
  • Incident response procedures
  • Regular security audits
  • Vendor security assessments

12.3 Your Security Responsibilities

You are responsible for:

  • Maintaining confidentiality of your account credentials
  • Using strong, unique passwords
  • Enabling multi-factor authentication
  • Securing your API keys and access tokens
  • Properly configuring your MCP servers and integrations
  • Notifying us immediately of unauthorized access

13. Cookies and Tracking Technologies
13.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. We use cookies and similar technologies to improve your experience, analyze usage, and provide certain functionality.

13.2 Types of Cookies We Use

Essential Cookies (Strictly Necessary):

  • Required for platform functionality
  • Session management and authentication
  • Security and fraud prevention
  • Cannot be disabled without affecting service

Analytics Cookies:

  • Google Analytics – Collect anonymized usage statistics
  • Microsoft Clarity – Session recordings and user behavior analysis
  • Help us understand user behavior and improve the platform
  • Can be disabled via cookie settings

Preference Cookies:

  • Remember your settings and preferences
  • Improve user experience
  • Can be disabled via cookie settings

Marketing Cookies (With Consent):

  • Track effectiveness of marketing campaigns
  • Personalize advertising (if applicable)
  • Require explicit consent

13.3 Cookie Duration
  • Session cookies: Deleted when you close your browser
  • Persistent cookies: Remain on your device for a set period (typically 12-24 months)

13.4 Managing Cookies

You can control cookies through:

  • Our cookie banner: Shown on first visit
  • Cookie settings: Available in your account preferences
  • Browser settings: Most browsers allow you to block or delete cookies

Note: Disabling essential cookies may affect platform functionality.

13.5 Third-Party Analytics Tools

Google Analytics: Google Analytics collects anonymized data about your website usage, including pages visited, time on site, and traffic sources. This data is anonymized and aggregated. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on or through our cookie settings.

Microsoft Clarity: Microsoft Clarity may record user sessions (mouse movements, clicks, scrolling) to help us understand how users interact with our platform. Sensitive information (passwords, payment details, API keys) is automatically masked. You can opt out through our cookie settings.

13.6 Third-Party Cookies

Some third-party services (like Google Analytics and Microsoft Clarity) may set cookies. These are governed by the respective third-party privacy policies.

13.7 Do Not Track

We currently do not respond to “Do Not Track” browser signals, as there is no industry standard for compliance.

14. Third-Party Links and Services

Our platform may contain links to third-party websites or allow integration with third-party services. This Privacy Policy does not apply to third-party sites or services.

We are not responsible for:

  • Privacy practices of third-party websites
  • Content on external sites
  • Security of third-party services you integrate

We recommend:

  • Reviewing privacy policies of third-party services before use
  • Understanding how they collect and use your data
  • Ensuring third-party services comply with applicable laws

Your responsibility:

  • You are responsible for your integrations with third-party APIs
  • Ensure compliance with third-party terms of service
  • Obtain necessary rights and consents for data processing

15. Children’s Privacy

MCP Express is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.

If you are under 16, please do not:

  • Create an account
  • Provide personal information
  • Use our services

If we become aware that we have collected personal data from someone under 16, we will delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at service@elephanti-soft.de.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

16.1 Notification of Changes

We will notify you of material changes via:

  • Email to your registered account address
  • In-platform notification when you log in
  • Update to the “Last Updated” date at the top of this Privacy Policy

16.2 Effective Date

Changes become effective:

  • Material changes: 30 days after notification
  • Minor changes: Immediately upon posting

16.3 Your Continued Use

Continued use of our services after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you should discontinue use and may request deletion of your account.

16.4 Previous Versions

Previous versions of this Privacy Policy are available upon request by contacting service@elephanti-soft.de.

17. Data Breach Notification
17.1 Our Obligations

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the competent supervisory authority within 72 hours of becoming aware
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Document the breach and our response measures

17.2 What We Will Tell You

Breach notifications will include:

  • Nature of the breach and data affected
  • Likely consequences of the breach
  • Measures taken to address the breach
  • Contact information for inquiries
  • Recommendations for protective measures you should take

17.3 Your Notification Obligations

If you are a data controller using our platform, you are responsible for notifying your own users if a breach originates from your systems or configurations.

18. California Privacy Rights (CCPA)

While MCP Express is primarily EU-based, we recognize rights under the California Consumer Privacy Act (CCPA) for California residents.

California residents have the right to:

  • Know what personal data we collect and how we use it
  • Request deletion of personal data
  • Opt out of the sale of personal data (we do not sell personal data)
  • Non-discrimination for exercising privacy rights

To exercise CCPA rights, contact us at service@elephanti-soft.de with “CCPA Request” in the subject line.

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

Data Controller:
Elephanti Soft UG (haftungsbeschränkt)
Managing Director: Annemarie Werner
Heinrich-Heine-Str. 10
72810 Gomaringen
Germany

Email: service@elephanti-soft.de
Subject line for data requests: “Privacy Inquiry” or “Data Subject Request”

Response time: We aim to respond within 5 business days for general inquiries and within 30 days for formal data subject requests.

20. Data Protection Officer

For questions specifically about data protection:

Contact: service@elephanti-soft.de
Subject line: “Attention: Data Protection”

21. Supervisory Authority

You have the right to lodge a complaint with the data protection supervisory authority:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany

Phone: +49 711 615541-0
Fax: +49 711 615541-15
Email: poststelle@lfdi.bwl.de
Website: www.baden-wuerttemberg.datenschutz.de
